Language and Page Formatting Options
Chapter 46. Strengthening Kerberos security with PAC information
The following sections explain how Identity Management (IdM) works with Privilege Attribute Certificate (PAC) information by default since RHEL 8.5. Also, you can enable Security Identifiers (SIDs) in IdM deployments that were installed before RHEL 8.5.
46.1. Privilege Attribute Certificate (PAC) use in IdM
To increase security, RHEL Identity Management (IdM) now issues Kerberos tickets with Privilege Attribute Certificate (PAC) information by default in new deployments. A PAC has rich information about a Kerberos principal, including its Security Identifier (SID), group memberships, and home directory information.
SIDs, which Microsoft Active Directory (AD) uses by default, are globally unique identifiers that are never reused. SIDs express multiple namespaces: each domain has a SID, which is a prefix in the SID of each object.
Starting from RHEL 8.5, when you install an IdM server or replica, the installation script generates SIDs for users and groups by default. This allows IdM to work with PAC data. If you installed IdM before RHEL 8.5, and you have not configured a trust with an AD domain, you may not have generated SIDs for your IdM objects. For more information about generating SIDs for your IdM objects, see Enabling Security Identifiers (SIDs) in IdM.
By evaluating PAC information in Kerberos tickets, you can control resource access with much greater detail. For example, the Administrator account in one domain has a uniquely different SID than the Administrator account in any other domain. In an IdM environment with a trust to an AD domain, you can set access controls based on globally unique SIDs rather than simple user names or UIDs that might repeat in different locations, such as every Linux
root account having a UID of 0.
46.2. Enabling Security Identifiers (SIDs) in IdM
If you installed IdM before RHEL 8.5, and you have not configured a trust with an AD domain, you might not have generated Security Identifiers (SIDs) for your IdM objects. This is because, before, the only way to generate SIDs was to run the
ipa-adtrust-install command to add the Trust Controller role to an IdM server.
As of RHEL 8.6, Kerberos in IdM requires that your IdM objects have SIDs, which are necessary for security based on Privilege Access Certificate (PAC) information.
- You installed IdM before RHEL 8.5.
You have not run the
ipa-sidgentask, which is part of configuring a trust with an Active Directory domain.
- You can authenticate as the IdM admin account.
Enable SID usage and trigger the
SIDgentask to generate SIDs for existing users and groups. This task might be resource-intensive:
[root@server ~]# ipa config-mod --enable-sid --add-sids
Verify that the IdM
adminuser account entry has an
ipantsecurityidentifierattribute with a SID that ends with
-500, the SID reserved for the domain administrator:
[root@server ~]# ipa user-show admin --all | grep ipantsecurityidentifier ipantsecurityidentifier: S-1-5-21-2633809701-976279387-419745629-500